UTM SSL VPN and GrandStream Phones

If they don't have a builtin user and password, you're out of luck with the UTM's implementation of OpenVPN.  There's no way to create a blank user with a blank password.

Cheers - Bob

That is what I was afraid of.  And they are telling me to just turn off the login/pass option on the OpenVPN server and just use certs.

That option doesn't exist in WebAdmin.  I'm no OpenVPN guru (and there is at least one here), but maybe you can achieve that from the command line with

cc set ssl_vpn user_auth_optional 1

Set it back to not-optional with

cc set ssl_vpn user_auth_optional 0

Did turning optional on allow you to connect from the phone and also from a PC or smart phone using authentication?

Cheers - Bob

Setting it optional wouldn't pass our audits I thought of that.

And now the grandstream devs are saying Sophos isn't openVPN at all because they call it SSL so I sent them screenshots of my openvpn client connected up.

Hi JayMan,

Wow, been using Grandstream for years and I didn't expect them to be that Obtuse about the OpenVPN that Sophos uses but calls it SSL VPN...

Are there any other options like L2TP with Radius auth?

Emile

only option they have is OpenVPN. via uploading the certs only.

These are the types of replies I am getting.

"

I kinda wish they would understand adding 2 fields and I could be buying 20-50 phones in short order.  2 fields can't be that hard to put in the firmware.

Hi Jayman,

My rebuttal to them is that they are using an insecure method of connecting via VPN. Setting up an open vpn server as to how you need it would be a security risk in my eyes. What do they say if you comment the security implications of hamstringing your security infrastructure to use deprecated VPN methods and deprecated/weak encryption protocols to perform the connection?

Sadly this sounds more like a political issue tban a technical one. Could you post an internal openvpn server that the UTM would forward the phones onto?

Emile

Funny you said that.    12hours ago I posted to them.

We cannot change our server side to remove logins/passwords. It is NOT a secure way to run a VPN. If you use only certs someone can get those certs and gain full access without logins to stop them as certs can be transferred via email and other methods with or without someones knowledge. 

Your phone firmware should provide a place to put logins/passwords it is 2 fields it shouldn't be very difficult to add rather than asking customers to redesigned there network infrastructure.

If I was able to change the server side I would need to have 200 VPN users in my company redownload all the configs to change the client side which I am not willing to do.

I made headway. It is now with the devs.

Hi JayMan,

That's great news! Tbh, I would love to use the Grandstream phones that I've deployed to our company in an SSL VPN fashion as that means I can hand a salesperson who switches locations regularly a phone which has ACLs that they can do premium rate calls only from HO IPs, atm I have to allow them to do anything from anywhere.

Would love to hear how it goes!

Emile

Hi JayMan,

That's great news! Tbh, I would love to use the Grandstream phones that I've deployed to our company in an SSL VPN fashion as that means I can hand a salesperson who switches locations regularly a phone which has ACLs that they can do premium rate calls only from HO IPs, atm I have to allow them to do anything from anywhere.

Would love to hear how it goes!

Emile

FYI it all works now on the newer grandstreams even the latest beta firmware came out with a field to put in openvpn options to solve for the 3600 SSL regen issue.